EFA best practice (DNS recursion enabled)

General eFa discussion
tcabot73
Posts: 1
Joined: 14 Apr 2020 13:13

EFA best practice (DNS recursion enabled)

Post by tcabot73 » 14 Apr 2020 13:34

First off, I’ve been using EFA for years now and it’s a great solution; the grey listing feature especially works wonders for the blanket SPAM my wife’s accounts get.

With the last update, having DNS recursion disabled broke inbound email. That being said, I understand it’s preferred to have recursion enabled. I have a split DNS setup and the email servers resolve to an external IP address with recursion set to enabled in EFA-Configuration, but EFA sits in a DMZ and needs to send email to the internal IP of the email load balancer. What is recommended for this situation? Is everyone adding static entries in the EFA OS to resolve just the internal IP of the mail server/s and local domains? I would like to have my setup follow best practice if at all possible, to avoid issues in the future.

Hopefully I'm understanding this all correctly, please correct me if I'm wrong.

shawniverson
Posts: 3087
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA best practice (DNS recursion enabled)

Post by shawniverson » 14 Apr 2020 18:46

Good question, and the answer is you can make an exception to the recursion in unbound DNS a couple of different ways.

I'll write up the steps. I haven't added the ability to do this to the TUI, but it is pretty straightforward.
Version eFa 4.0.2 now available!

jogomes
Posts: 17
Joined: 12 Oct 2016 15:59

Re: EFA best practice (DNS recursion enabled)

Post by jogomes » 15 Apr 2020 08:32

Hello to all,

The last update to EFA 4.0.2 also 'broke' inbound for my EFA. I had to enable DNS recursion to be able to receive inbound emails.

I use an internal FW DNS and also have an internal AD DNS. I had the internal FW DNS configured since I want only one DNS resolving all internal requests to the outside.

Thanks for your great work.
Regards.
JG

smyers119
Posts: 73
Joined: 29 Nov 2019 11:36

Re: EFA best practice (DNS recursion enabled)

Post by smyers119 » 17 Apr 2020 01:00

eFa uses unbound for DNS.

Step 1: ssh in and then select 1 for "shell".

Step 2: Create a new file:

sudo vi /etc/unbound/local.d/local.conf

Step 3: Add your local DNS entries (check the man page for syntax). Example:

#My dns additions
local-data: "sub.example.com A 192.168.100.105"
local-data-ptr: "192.168.100.105 sub.example.com"

(For more advanced setups you can create a stub zone.)

private-domain: "example.com"
local-zone: "1.168.192.in-addr.arpa." nodefault
stub-zone:
    name: "example.com"
    stub-addr: 192.168.1.100@53

Step 4: Restart unbound:

sudo service unbound restart

shawniverson
Posts: 3087
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA best practice (DNS recursion enabled)

Post by shawniverson » 18 Apr 2020 16:19

This is one way. Another way to do this is using forward zones.

Create a /etc/unbound/conf.d/localforward.conf:

forward-zone:
  name: example.net.
  forward-addr: <example.net IP1>
  forward-addr: <example.net IP2>
  forward-first: no

Then reload unbound:

sudo systemctl reload unbound
Version eFa 4.0.2 now available!
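Added worked example (not from the thread or the eFa project): a small Python script that renders both variants discussed above, the local-data overrides and the forward-zone, for a constructed set of internal mail hosts, and lints a fragment for the mistakes that break or leak in this DMZ split-DNS setup. The host names, addresses and resolver IPs are constructed placeholders, and the private-domain check assumes the gateway's unbound has private-address rebind protection configured.

```python
import re

# Constructed data for the scenario in this thread: a DMZ mail gateway that
# must resolve internal mail hosts to RFC1918 addresses while unbound still
# recurses to the internet for everything else.
INTERNAL_HOSTS = {  # name -> internal IPv4 (constructed placeholders)
    "mail.example.com": "192.168.1.25",
    "lb.example.com": "192.168.1.26",
}
INTERNAL_RESOLVERS = ["192.168.1.10", "192.168.1.11"]  # constructed AD DNS IPs

def local_fragment(hosts):
    """Render the local-data variant (drop-in for /etc/unbound/local.d/)."""
    lines = ["# split-DNS overrides for internal hosts"]
    for name, ip in hosts.items():
        lines.append(f'local-data: "{name}. A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {name}."')  # keep reverse in sync
    return "\n".join(lines) + "\n"

def forward_fragment(zone, resolvers):
    """Render the forward-zone variant (drop-in for /etc/unbound/conf.d/)."""
    # private-domain matters when private-address rebind protection is
    # configured: without it unbound strips RFC1918 answers for this zone.
    lines = [f'private-domain: "{zone}"', "forward-zone:", f"  name: {zone}."]
    lines += [f"  forward-addr: {r}" for r in resolvers]
    lines.append("  forward-first: no")  # never fall back to public recursion
    return "\n".join(lines) + "\n"

def lint(fragment):
    """Report the split-DNS mistakes that silently break or leak."""
    findings = []
    a_records = dict(re.findall(r'local-data: "(\S+) A (\S+)"', fragment))
    ptrs = dict(re.findall(r'local-data-ptr: "(\S+) (\S+)"', fragment))
    for name, ip in a_records.items():
        if ptrs.get(ip) != name:
            findings.append(f"{name}: forward record without matching PTR")
    for zone in re.findall(r'^\s*name:\s*"?([\w.-]+?)\.?"?\s*$', fragment, re.M):
        if not re.search(rf'private-domain: "{re.escape(zone)}\.?"', fragment):
            findings.append(f"{zone}: no private-domain, RFC1918 answers may be dropped")
    if re.search(r"forward-first:\s*yes", fragment):
        findings.append("forward-first: yes lets internal names leak to public resolvers")
    return findings

if __name__ == "__main__":
    for frag in (local_fragment(INTERNAL_HOSTS),
                 forward_fragment("example.com", INTERNAL_RESOLVERS)):
        print(frag + "lint: " + str(lint(frag) or "clean") + "\n")
```

Running the lint over the thread's own forward-zone snippet (with real resolver IPs filled in) flags the missing private-domain line, which is the first thing to check if internal A records resolve but unbound returns nothing to Postfix.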
